back to article Whois is dead as Europe hands DNS overlord ICANN its arse

The Whois public database of domain name registration details is dead. In a letter [PDF] sent this week to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force. The letter also has …

  1. John Doe 6

    Actually it is a non-issue: The only GDPR problem in WHOIS is the personal information which may not by displayed - just remove content of those fields from the DB or replace it with the AS#.

  2. Voland's right hand Silver badge

    just remove content of those fields from the DB or replace it with the AS#.

    That is exactly the information which IPR trolls need to throw seize and desist and threat letters.

    They and specifically the entertainment industry lobby are the ones behind the current ICANN position as this will mean that they will now have to use a proper court order to make the SP disclose the end-user information.

  3. John Smith 19 Gold badge
    Unhappy

    "this will..now have to use a proper court order to make the SP disclose the end-user information."

    To which I think many are thinking "Boo f**king hoo."

    Coming for a decade and still not ready.

    Funny how it's the US that thinks it's laws apply everywhere and when other countries or institutions push back you hear that whiny corporate tone "Please don't do that, we can't, we're special."

    I despise corporate whining

  4. Yes Me Silver badge
    Childcatcher

    Unstable operation coming soon...

    "the stable operation of the Internet's unique identifier systems" has been possible for many years because it's possible to discover who is (ab)using any particular registration. And contact them if necessary for operational purposes.

    Changing this will make illicit or ham-fisted operations much harder to stop. It will be ironic if EU privacy rules make criminal activities easier to get away with.

    Don't they need to get all registrants to sign a waiver?

  5. Trollslayer Silver badge

    Re: Unstable operation coming soon...

    Assuming contact details are correct.

  6. Stuart Grout

    Re: Unstable operation coming soon...

    If operator's details are not correct the domain gets suspended as they are in breach of their agreement to provide and maintain correct details.

  7. Doctor Syntax Silver badge

    Re: Unstable operation coming soon...

    "Don't they need to get all registrants to sign a waiver?"

    The authors of GDPR saw that one coming. One aspect of the regulations is that you can't tie provision of a service to a waiver on data that GDPR covers. Breaking that one would just bring bigger fines.

  8. Lusty Silver badge

    Re: Unstable operation coming soon...

    “Changing this will make illicit or ham-fisted operations much harder to stop”

    You’ve completely misunderstood everything about this. Literally nobody is saying ICANN shouldn’t collect and store the information. They should and they will, just like Nominet do. For official purposes the information can still be requested through proper channels. The only difference is that our details won’t be available for anyone to access. They should never have been in the first place, and this case shows why GDPR is so important given how hard people are trying to keep doing things they shouldn’t have done in the first place. It’s always harder to get privacy back than to never let it go.

  9. Doctor Syntax Silver badge

    Re: Unstable operation coming soon...

    If operator's details are found to be not correct the domain gets suspended

  10. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    "And contact them if necessary for operational purposes."

    This problem has already been addressed. Any well setup domain has e-mail addresses as per RFC2142, i.e.:

    abuse@example.com

    hostmaster@example.com

    postmaster@example.com

    The solution is as simple as ICANN mandating these addresses are valid and if they're found not to be, you'll forfeit your domain registration, maybe after a few strikes.

  11. LDS Silver badge

    "If operator's details are not correct the domain gets suspended "

    Is so, many US registrars would be suspend wholly .Many of them hosted a large number of spammers and fake sites without giving a toss about it - as long as they got paid., even with stole credit cards. Most of them decided that it was more profitable to sell a large number of cheap domain names, without checking registration data - of course that means to close both eyes on who registered what.

    ICANN acts the same way, as long as it people are paid handsomely for looking at their bellies buttons, they don't care at all about actual issues and upcoming ones - as we've see in this case.

    GDPR wasn't meant against FB or Google - it was meant to protect citizens' data, regardless who collects and manages them.

  12. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    "you can't tie provision of a service to a waiver on data that GDPR covers"

    Citation needed!

  13. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    1997 called. It wants to know if you are the only person on the planet still following the RFC.

  14. Orv Silver badge

    WHOIS is a relic of an older, friendlier internet

    WHOIS contact details are a relic of the 1990s, when everyone ran fingerd and identd and sysadmins could solve problems by calling each other up for a friendly chat.

    Nowadays putting that kind of personal information publicly on the Internet is just asking to be scammed and abused. Last time I published my real phone number in a WHOIS record, I got about a dozen telemarketing and scammer calls a day for weeks. My phone is still largely unusable for incoming calls (because I just ignore it.) At this point it's just a way for registrars to make more money by selling "domain privacy" packages.

  15. Yes Me Silver badge

    Re: Unstable operation coming soon...

    "The only difference is that our details won’t be available for anyone to access."

    Exactly. So the public isn't able to discover who registered dodgybusiness.com without expensive and cumbersome due process. That seriously reduces consumer protection. Privacy is a two-edged sword and GDPR doesn't seem to recognise it. Fraudsters are pleased.

  16. John Brown (no body) Silver badge

    Re: Unstable operation coming soon...

    "Exactly. So the public isn't able to discover who registered dodgybusiness.com without expensive and cumbersome due process. "

    You are assuming that dodgybusiness.com was so inept as to register with their correct details. You are also misunderstanding the point of GDPR. Dodgybusiness.com is a business and so must publish it's contact details and is not protected in that way by GDPR. But they probably used a registrat that doesn't care or check the details anyway.

  17. Louis Schreurs BEng

    So the public isn't able to discover who registered dodgybusiness.com

    the public isn't interested in the first place, willing to keep their privacy shunned by F book without changing their privacy settings, much less actively looking up who is doing the rest of the dodgy interwebs hackingdoodledumbsies

  18. Steve 114
    Happy

    Re: Unstable operation coming soon...

    My registrar charges a few dollars a year to keep my ID 'private', standard option. I wonder if I'll get that service free now.

  19. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    "1997 called. It wants to know if you are the only person on the planet still following the RFC."

    1997 will need to come and ask me on IRC. :-)

    But I suspect so, it is becoming more and more apparent to me that I'm an odd little duck.

  20. Tomato Krill

    Re: Unstable operation coming soon...

    No, as long as they're *plausible* they will be accepted and validated by the automatic processes that verify data.

    They need to be valid data; they need not be *your* valid data.

  21. MrXavia

    Re: Unstable operation coming soon...

    "The only difference is that our details won’t be available for anyone to access. They should never have been in the first place"

    Glad that this is being changed.

    I wonder if companies house is allowed to continue under GDPR, I never understood how they were allowed to publish officers addresses without any comeback... Problem is once its published, you cant take it back.

  22. SImon Hobson Silver badge

    Re: Unstable operation coming soon...

    "you can't tie provision of a service to a waiver on data that GDPR covers"

    Citation needed!

    Try the ICO guide to GDPR.

    Basically, if you are saying that you won't provide the service without the person giving consent then that consent is't "freely given" - so don't bother.

    However, that doesn't automatically stop you collecting and processing data because you can collect and process information that is REQUIRED for the performance of a contract. In the case of domain registrations and whois, the registrar is entitled to collect certain information for performance of it's contract. BUT, making that publicly available via whois is not required for the performance of the contract and so must only be done with consent and the person must be able to withhold that consent without affecting the ability to have domains registered.

  23. Franco Silver badge

    Re: Unstable operation coming soon...

    MrXavia I was coming here to make that very point. As soon as I setup my own business and people saw it at CH I started getting spammed by IT resellers and dodgy accountants promising 95% take home. I really hope that they have their house in order for GDPR.

  24. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    " Citation needed!"

    Consent has to be freely given. Here for example is an explanation of the principal https://www.ivir.nl/publicaties/download/Computerrecht_2017_4.pdf

  25. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    That's just an opinion piece that borders on wishful thinking. I want to see chapter and verse of law.

  26. the spectacularly refined chap

    Re: Unstable operation coming soon...

    That's just an opinion piece that borders on wishful thinking. I want to see chapter and verse of law.

    Read the bloody regulations yourself then: it's not as if it isn't publicly available. The poster you originally responded to stated GDPR say this and you demanded a citation despite that in itself being one. Now the ICO counts as 'opinion' despite them being one party responsible for enforcing it.

    It's clear enough that your opinion is worth fuck all, your IQ is clearly way too low for you have anything meaningful to contribute and are far happier spouting meaningless tripe than even stopping to read the very references you demand.

    This is law and not subject to alternative facts if you happen not to like it. Yes, you can ignore it if you like but if it comes back to bitch slap you then you only have yourself to blame.

  27. Danny 14 Silver badge

    Re: Unstable operation coming soon...

    businesses are still covered with gdpr. ICANN is a data controller with data. That data might be personal data if an IT manager has his name and email address on there. Business or not, GDPR is about protecting data.

  28. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    > a shutdown of the full Whois will result in a spike in online scams

    Not really, since most scammers (a) give false details, (b) hide behind registrars who obfuscate the details for them, and/or (c) use short-lived domains and discard them when finished.

    > If operator's details are found to be not correct the domain gets suspended

    And with about 140 million domains in dot com alone, how much actual verification is done on each one, apart from sending a confirmation E-mail to the registered contact mailbox and checking it doesn't bounce?

  29. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    GDPR Article 7 (4)

    http://www.privacy-regulation.eu/en/article-7-conditions-for-consent-GDPR.htm

  30. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    > GDPR is about protecting data

    No. The GDPR is about protecting personal information.

  31. Aitor 1 Silver badge

    Re: Unstable operation coming soon...

    Nope.

    The illegal operators had fishy details.. while law abiding citizens put real data and big companies could throw them under the legal system bus.

    Same as with gun laws.

    I do recognize that some trollish ppl will be harder to stop, but ICANN must respect the law of the land.. even if they think it makes no sense.. as they do with China and Russia... yet dont want to do with the EU..

  32. Aitor 1 Silver badge

    Re: Unstable operation coming soon...

    of course.

    Yet most abuse@whatever from big companies will either give you the silent treatment or redirect you to a website using an automated mail.

  33. Jamie Jones Silver badge
    Happy

    Re: Unstable operation coming soon...

    It's clear enough that your opinion is worth fuck all, your IQ is clearly way too low for you have anything meaningful to contribute and are far happier spouting meaningless tripe than even stopping to read the very references you demand.

    Blimey! Some-one needs a hug! :-)

  34. Dazed and Confused Silver badge

    Re: Unstable operation coming soon...

    > I wonder if companies house is allowed to continue under GDPR

    I wonder whether the concept of a limited company will be allowed to continue under GDPR.

    The idea of Companies House publishing your details is because you are asking people you do business with to do so on the basis of trust. If you do business with a limited company you have to accept that you may not get paid and that ultimately their liability is limited to the share capital of the company (usually a couple of quid). So you need to be able to find out whether the directors are people you are prepared to trust. Publishing their details at least holds them (me) to a certain amount of accountability. If you aren't allowed to find out who they are why should you trust them? Business people being able to use the right to be forgotten to hide their past illegal behaviour is bad enough. Letting conmen have complete anonymity seems to be an unexpected consequence of the new rules, unless you subscribe to the black helicopter view of things.

  35. Anonymous Coward
    Anonymous Coward

    Re: Unstable operation coming soon...

    "I wonder whether the concept of a limited company will be allowed to continue under GDPR."

    Nope.

    GDPR, exactly like the DPD before it, sets out a series of justifications for processing data. Put into context that means that publishing data is absolutely legal under GDPR as long as you can suitably justify it. In the case of something like companies house, the fact that the law requires the CH register to be public trumps the protections in GDPR. Even if it did not then there would be a strong legitimate interests argument.

    ICANN have made no effort to come up with such a justification. Given that many registries already don't publish, that anyone can already register anonymously (for a fee, funnily enough) and the level of abuse of the public registries, such a justification is likely to simply not exist.

  36. Roland6 Silver badge

    Re: Unstable operation coming soon...

    >My registrar charges a few dollars a year to keep my ID 'private', standard option. I wonder if I'll get that service free now.

    If your registrar had any sense, they would have made 'private' their standard offering.

    There is no discount for positively opting out, because they now have to maintain records of your consent.

    In some respects, I'm a little lost as to why this is such a big issue, the EU registrars seem to already have in place the relevant mechanisms to protect their domain holders data they just seem to be reluctant to use them.

  37. Yet Another Anonymous coward Silver badge

    Re: "If operator's details are not correct the domain gets suspended "

    For official purposes the information can still be requested through proper channels

    Who gets to decide who are official ?

    Russian intelligence agency, Somalian warlord, MPAA, Milk Marketing Board ?

  38. Trollslayer Silver badge
    Mushroom

    Bunch of petty autocrats

    WIPO, EPO and so many others.

    About time they were woken up.

  39. Tomato42 Silver badge

    Re: Bunch of petty autocrats

    EPO, despite having "European" in the name, has nothing to do with European Union or European Commission

  40. the spectacularly refined chap

    Re: Bunch of petty autocrats

    Or anything at all to do with GDPR...

  41. Danny 14 Silver badge

    Re: Bunch of petty autocrats

    GDPR is hardly new. It has been brewing for 2 years now. Unfortunately some companies just cant be arsed doing anything about it.

  42. Martin Summers Silver badge

    The only use I had of WHOIS having my details is getting a random phone call from a chap wanting to buy my domain name off me, which back in 2003 I made about £600 for. Personally I'll be glad to see the back of it as I think it's completely unnecessary to have those details exposed. It's made a mockery of with privacy services anyway and I balk at the cost of those on top of the domain. It's not going to make any difference to anyone having this shut off, only the registrar and the naming authority need my details.

    What is going to be affected is verified SSL certificates, although I imagine there's an opportunity for registrars to make some money out of a verification API. I'm sure someone will be right on that.

  43. Ole Juul Silver badge

    "It's made a mockery of with privacy services anyway and I balk at the cost of those on top of the domain."

    Many registrars offer it for free.

  44. Tom Chiverton 1

    Gandi for instance

  45. itzman

    I think its fine to not have details public

    ..so long as domains that choose to remain private are clearly flagged by browsers, as potentially 'dodgy'

    And important part of malware email handling consists in finding out who they are from, or who they are redirecting you to.

  46. Spanners Silver badge

    Re: I think its fine to not have details public

    I am unclear why respect for someone's privacy makes their website any more prone to being dodgy.

    If I need to look into a website, for that trait, I see location as much more indicative.

    EU - least likely

    and so on......

    USA - could be. Who knows?

    Russia - bet it is

    I suppose it depends on what you consider dodgy. My criteria there is "takes my money and does not give me what I want/expect". Alternatively "takes my information and may deliberately pass it on to dodgy organisations like mafia, NSA, CIA, FSB or similar outposts of organised crime.

    If I do not know someone's name and home phone number to pass directly to a lawyer, this does not matter. If the laws are broken here, we have a look egalitarian system which can provide warrants in valid cases. This keeps pretend ones out of my hair!

  47. Lee D Silver badge

    Re: I think its fine to not have details public

    "And important part of malware email handling consists in finding out who they are from, or who they are redirecting you to."

    And you rely on the domain names given to be definitive, do you?

    If you want to handle malware, you go for the IP "whois" (e.g. AS lookup), which is an entirely different kettle of fish. But domain names resolve to IPs. What makes you think they can't just change the domain they are using in seconds?

    There's no practical reason to have publicly visible names and addresses (except of abuse contacts at the ISP in question) for anything any more. It used to be there so you COULD call up John Bloggs who worked at X University and talk about a problem with his system. Nowadays, that's just not feasible.

    And a vast, vast, vast portion of domains are now owned by private individuals. It's like requiring me to put my name, home address and phone number inside the front cover of every book I write, song I record, game I create, etc. which is just silly.

    It's outdated. It's illegal (always has been in the EU, which is why Nominet gave the whois opt-out for personal information - the GDPR is nothing more than ratification of DPA case law into written statute). It's stupid. And it's useless, because of the sheer number of ways to put fake information there because it has way less verification than even an SSL certificate. It should have died decades ago.

  48. Alumoi

    Re: I think its fine to not have details public

    Alternatively "takes my information and may deliberately pass it on to dodgy organisations like mafia, NSA, CIA, FSB or similar outposts of organised crime.

    So, Google, Facebook & the like, Apple, Microsoft, your bank, your ISP, your utility providers and the list goes on.

    Tinfoil much?

  49. Danny 14 Silver badge

    Re: I think its fine to not have details public

    not with GDPR in may. They will need your permission to do so, and specific permission too not a blanket catchall tick box.

  50. Ole Juul Silver badge

    Re: I think its fine to not have details public

    Would you be so kind as to put your email address in your sig please? Thanks.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018